Summary

Malware is a serious problem. Nobody denies that. If you listen carefully to anti-malware mavens in the lobby bar at the next IA conference you attend, another thing that is agreed is that the current way of doing things using signatures is reaching its end of life. Even the anti-malware vendors privately agree that this is becoming the case. That leaves us with very few options given the current state of the practice. Artificial immune systems aren't quite soup yet and behavior analysis tools aren't solid either since the bad guys keep coming up with innocuous-looking behavior that masks really nasty stuff. So what are we to do?
Triumfant has taken a page from products such as Tripwire that look for changes in files, and expanded that to over 200,000 elements that characterize the entire computer and everything on it. But, as they say on the late night infomercials, there's more. Triumfant can perform remediation on the fly and can create pristine machines by taking a known good machine and using it as a donor for the damaged machine. This is a major improvement over most current anti-malware products.
This product behaves a lot like traditional endpoint protection in that it places a lightweight agent on the endpoint. The agent creates a profile of the properly operating device as a baseline. It then looks for changes against the baseline and takes action. However, in addition to looking at an individual endpoint, Triumfant looks at the entire endpoint population and uses that information to give context to its individual scans.
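To make the baseline-plus-population idea from the paragraphs above concrete, here is an added example of my own (not Triumfant's code or its data format) that diffs one endpoint's profile against its baseline, ranks each change by how common the new value is across the fleet, and builds a remediation plan from a known-good donor host; the element names, hashes and host names are constructed.

```python
# Constructed sample data, not Triumfant's own schema: a profile maps an element
# name (service, file hash, autorun key, ...) to its observed value, with None
# marking an element that is absent on that host.
BASELINE = {"svc:Spooler": "auto", "file:svchost.exe": "sha256:aaa", "reg:Run\\Updater": None}
SUSPECT = {
    "svc:Spooler": "auto",
    "file:svchost.exe": "sha256:fff",               # binary replaced
    "reg:Run\\Updater": "C:\\Users\\Public\\u.exe",  # new autorun entry
}
# The rest of the fleet (constructed): the svchost change is widespread, as a
# rolled-out patch would be; the autorun entry exists on no other host.
FLEET = {
    "ws-01": {"svc:Spooler": "auto", "file:svchost.exe": "sha256:fff", "reg:Run\\Updater": None},
    "ws-02": {"svc:Spooler": "auto", "file:svchost.exe": "sha256:fff", "reg:Run\\Updater": None},
    "ws-03": {"svc:Spooler": "auto", "file:svchost.exe": "sha256:aaa", "reg:Run\\Updater": None},
    "ws-04": {"svc:Spooler": "auto", "file:svchost.exe": "sha256:fff", "reg:Run\\Updater": None},
    "ws-07": SUSPECT,
}


def diff_profiles(baseline, current):
    """Elements whose value differs from the baseline: name -> (old, new)."""
    names = set(baseline) | set(current)
    return {n: (baseline.get(n), current.get(n))
            for n in names if baseline.get(n) != current.get(n)}


def prevalence(fleet, element, value):
    """Fraction of fleet hosts on which `element` currently has `value`."""
    return sum(1 for p in fleet.values() if p.get(element) == value) / len(fleet)


def rank_changes(changes, fleet):
    """Order one host's changes by how rare the new value is fleet-wide: a change
    shared by most hosts (a patch) sinks, one unique to this host rises to the top."""
    ranked = [(n, old, new, prevalence(fleet, n, new)) for n, (old, new) in changes.items()]
    return sorted(ranked, key=lambda r: r[3])


def remediation_plan(baseline, current, fleet, donor, max_prevalence=0.25):
    """For changes rarer than `max_prevalence`, take the replacement value from a
    known-good donor host (None means: remove the element)."""
    ranked = rank_changes(diff_profiles(baseline, current), fleet)
    return {n: donor.get(n) for n, _old, _new, prev in ranked if prev <= max_prevalence}


if __name__ == "__main__":
    for name, old, new, prev in rank_changes(diff_profiles(BASELINE, SUSPECT), FLEET):
        print(f"{name}: {old!r} -> {new!r}  seen on {prev:.0%} of fleet")
    print("remediate:", remediation_plan(BASELINE, SUSPECT, FLEET, FLEET["ws-01"]))
```

The fleet-wide svchost change ranks low because most hosts share it, while the autorun entry found on a single host ranks first and is the only element the plan reverts.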
Several years ago, we saw the earliest attempts at behavior-based virus detection. This earlier technology allowed us to identify virus or virus-like activity even if we did not know what the virus was. As operating systems have become more complicated, this technique has become less reliable, as has heuristic scanning. As the volume of malware grows, the efficacy of signature-based scanning has declined as well, especially with the increase in malware that can change its own signature. It seems to us that Triumfant's approach suggests a way through those challenges.
The problem it solves: Control of malware at the endpoints.
What we liked: Comprehensive approach that depends on profiling a huge number of variables.
What we didn't like: Nothing.